Five vulnerabilities in the popular Fluent Bit open source tool could allow attackers to take over cloud services, Oligo Security warns.
The lightweight, highly scalable data agent supports the collection, processing, and forwarding of logs, metrics, and traces. It is widely used as a standard in observability pipelines across cloud environments and container orchestration platforms.
Fluent Bit is built around input plugins that gather data from various sources, and output plugins that ship it to specified destinations. For identification purposes, every record carries a tag that also acts as a routing label.
Tracked as CVE-2025-12972 and described as a lack of sanitization of tag values that are used to generate filenames, the first of the newly disclosed bugs allows attackers to inject path traversal sequences.
This enables attackers to overwrite arbitrary files on disk, leading to log tampering and remote code execution (RCE), Oligo explains. Configurations where a defined ‘File’ key is missing from the file output are affected.
The second issue, CVE-2025-12970, a stack-based buffer overflow in the Docker input, allows attackers to create containers with extremely long names that exceed the allocated fixed 256-byte buffer, leading to crashes and code execution. Only setups with the Docker input are affected.
The third vulnerability, tracked as CVE-2025-12978, allows attackers to spoof trusted tags by guessing the first character of a tag key in HTTP, Elasticsearch, and Splunk inputs. This could lead to log rerouting, filter bypasses, and the injection of malicious or modified data.
The fourth bug, CVE-2025-12977, exists because tags derived from user-controlled fields bypass sanitization, allowing attackers to inject characters and sequences leading to log corruption or broader output-based attacks. It impacts HTTP, Elasticsearch, and Splunk configurations.
Tracked as CVE-2025-12969, the fifth flaw exists because, when configured with Security.Users, Fluent Bit forwarders silently disable authentication. Remote attackers can exploit the issue to inject false telemetry, send logs, or flood detection systems.
Given Fluent Bit’s widespread presence across AWS, Google Cloud, Microsoft Azure, AI labs, financial services, and more, the newly identified security defects pose a critical risk to the cloud ecosystem, as they could allow attackers to cause disruptions and gain deep access to infrastructure, Oligo says.
“In practice, this means an attacker exploiting these vulnerabilities could not only disrupt cloud services and tamper with data, but also take over the logging service itself,” the security firm notes, warning that CVE-2025-12972 was introduced eight years ago.
The security defects affect Fluent Bit versions prior to 4.1.1 and 4.0.12. Updating to the latest stable release resolves all vulnerabilities.
Oligo also notes that it reported the bugs to AWS, which immediately addressed them by migrating to Fluent Bit version 4.1.1.
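The affected configurations listed above can be checked for in an existing deployment. The following is an added example, not code from Oligo or the Fluent Bit project: a small auditor that flags sections of a classic-mode Fluent Bit configuration matching the conditions the article names. It assumes the classic `[SECTION]` / `Key Value` file format and the plugin names `file`, `docker`, `forward`, `http`, `elasticsearch` and `splunk`; the sample configuration is constructed, and a match only matters on versions prior to 4.1.1 and 4.0.12.

```python
# Added example: flag Fluent Bit config sections matching the article's affected conditions.
TAG_INPUTS = {"http", "elasticsearch", "splunk"}

# Constructed sample config (not from a real deployment).
SAMPLE = """\
[INPUT]
    Name  docker
[INPUT]
    Name            forward
    Security.Users  alice s3cret
[INPUT]
    Name  http
[OUTPUT]
    Name  file
    Path  /var/log/flb
[OUTPUT]
    Name  file
    Path  /var/log/flb
    File  app.log
"""

def parse_sections(text):
    """Return [(SECTION, {lowercased key: value}), ...] for a classic-mode config."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().upper(), {}))
        elif sections:
            parts = line.split(None, 1)  # key, then the rest of the line as value
            sections[-1][1][parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return sections

def audit(text):
    """Return (cve, finding) tuples in config order."""
    findings = []
    for kind, props in parse_sections(text):
        name = props.get("name", "").lower()
        if kind == "OUTPUT" and name == "file" and "file" not in props:
            findings.append(("CVE-2025-12972", "file output without a File key"))
        elif kind == "INPUT" and name == "docker":
            findings.append(("CVE-2025-12970", "docker input enabled"))
        elif kind == "INPUT" and name == "forward" and "security.users" in props:
            findings.append(("CVE-2025-12969", "forward input sets Security.Users"))
        elif kind == "INPUT" and name in TAG_INPUTS:
            findings.append(("CVE-2025-12977, CVE-2025-12978", f"{name} input enabled"))
    return findings
```

Call `audit()` on the text of a deployed configuration file to list the sections to review first while the upgrade is rolled out.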
